RBAC Cannot Run ISI_SUPPORT Commands

Question

Hello, Trying to configure RBAC for some of our AD domain users to perform administration duties on our Isilons. So far I have added a new role and added a user to that role.  The user can login via SSH and run a number of commands via sudo, but still cannot run the commands defined under the ISI_SUPPORT section in the /usr/local/etc/sudoers file.  We need to run these commands just about every day (isi_hw_status, isi_gather_info, isi_radish, etc..) Is there a way to enable these commands via the RBAC without modifying the sudoers file (or having to log in as root)?  We have 20 Isilons, so trying to keep it as simple as possible. All of the below is on the Isilon Simulator v7.1.1.4 SIM7114-1% isi auth ads list Name         Authentication  Status  Site ----------------------------------------------------- BIG.DOMAIN.COM Yes             online ----------------------------------------------------- SIM7114-1% whoami DOMAIN\AdminGuy SIM7114-1% isi_hw_status zsh: permission denied: isi_hw_status SIM7114-1% sudo isi_hw_status Password: Sorry, user DOMAIN\AdminGuy is not allowed to execute '/usr/bin/isi_hw_status' as root on SIM7114-1. SIM7114-1# isi auth roles view StorageAdmin        Name: StorageAdmin Description: -     Members: DOMAIN\AdminGuy Privileges              ID: ISI_PRIV_LOGIN_CONSOLE       Read Only: True              ID: ISI_PRIV_LOGIN_PAPI       Read Only: True              ID: ISI_PRIV_LOGIN_SSH       Read Only: True              ID: ISI_PRIV_SYS_SUPPORT       Read Only: True              ID: ISI_PRIV_ANTIVIRUS       Read Only: False              ID: ISI_PRIV_AUDIT       Read Only: False              ID: ISI_PRIV_CLUSTER       Read Only: False              ID: ISI_PRIV_DEVICES       Read Only: False              ID: ISI_PRIV_EVENT       Read Only: False              ID: ISI_PRIV_FTP       Read Only: False              ID: ISI_PRIV_HDFS       Read Only: False              ID: ISI_PRIV_HTTP       Read Only: False              ID: ISI_PRIV_ISCSI       Read Only: False              ID: ISI_PRIV_JOB_ENGINE       Read Only: False              ID: ISI_PRIV_LICENSE       Read Only: False              ID: ISI_PRIV_NDMP       Read Only: False              ID: ISI_PRIV_NETWORK       Read Only: False              ID: ISI_PRIV_NFS       Read Only: False              ID: ISI_PRIV_NTP       Read Only: False              ID: ISI_PRIV_QUOTA       Read Only: False              ID: ISI_PRIV_REMOTE_SUPPORT       Read Only: False              ID: ISI_PRIV_SMARTPOOLS       Read Only: False              ID: ISI_PRIV_SMB       Read Only: False              ID: ISI_PRIV_SNAPSHOT       Read Only: False              ID: ISI_PRIV_SNMP       Read Only: False              ID: ISI_PRIV_STATISTICS       Read Only: False              ID: ISI_PRIV_SYNCIQ       Read Only: False              ID: ISI_PRIV_VCENTER       Read Only: False              ID: ISI_PRIV_WORM       Read Only: False

johnsonka · Accepted Answer

Hello Chris_S,

Thank you for your question! Peter_Sero is correct here, there is no corresponding RBAC privilege to the commands you mentioned. The workaround he mentions will be sufficient to run these commands. In my testing, I am using a local user, but you can accomplish this with a domain user should you need to:

cluster-1# isi_visudo

## Sudoers override file.

##

## This file overrides the default configuration for sudo as provided by

## Isilon. The defaults can be found at /etc/mcp/templates/sudoers. Do not

## edit /etc/mcp/templates/sudoers.

##

## To add additional command permissions, enter the appropriate configuration

## lines below. To remove a command provided by default, enter a negation line

## below.

##

## Example:

##

## To prevent admin from running SyncIQ, uncomment the line below:

## admin ALL=(ALL) !/usr/bin/isi sync*

##

ktjoh ALL=(ALL) ISI_SUPPORT

~

/etc/mcp/override/sudoers.tmp: 16 lines, 538 characters.

isi_visudo: Warning: Cmnd_Alias `ISI_SUPPORT' referenced but not defined

cluster-1# su ktjoh

cluster-1% isi_hw_status

zsh: permission denied: isi_hw_status

cluster-1% sudo isi_hw_status

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

Password:

SerNo: SX200-301113-0027

Config: 400-0034-01

FamCode: X

ChsCode: 2U

GenCode: 00

Product: X200-2U-Single-24GB-4x1GE-5632GB-200GB SSD

Comps: Chassis CPU Motherboard NVRam FlashDrive Disk_Controller Disk_Expander Power_Supplies

Chassis: ISI12V2 (Isilon 12-Bay(V2) Chassis)

Peter_Sero · Answer

The ISI_SUPPORT command set is only relevant within the sudoers file,

and cannot be linked to any RBAC roles. As there is no corresponding "ISI_PRIV_SUPPORT"

privilege; and one cannot create new RBAC privileges...

Seems you have to stick with the plain sudoers mechanism:

use isi_visudo to add

thisusername ALL=(ALL) NOPASSWD: ISI_SUPPORT

hth

-- Peter

Isilon

Was this post helpful?